Re: [Shorewall-users] Suspected Trojan

2014-08-07 Thread Lee Brown
> Shorewall can't tell you the pid because Netfilter doesn't provide a > capability that would allow Shorewall to request the PID in log messages! > >> >> I can't believe that no one's ever thought of these things before. >> > > Shorewall is a firewall configuration tool, not an IDS. If you want an
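As an added example (not part of this thread and not Shorewall code): Netfilter log lines carry the 5-tuple but never the owning process, so the join has to be done on the host itself with `ss -tnp`. The script below parses a constructed Shorewall log line and constructed `ss -tnp` output and reports which PID owns the socket; addresses, ports, process names and PIDs are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): join a
# Shorewall log line against `ss -tnp` on the same host to recover the PID
# that Netfilter cannot put in the log. LOG_LINE and SS_OUTPUT are constructed
# sample data; addresses, ports, process names and PIDs are assumptions.

# Constructed Shorewall log line (kernel log format, fw-net chain).
LOG_LINE='[63829.975476] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.1.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=48122 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0'

# Constructed `ss -tnp` output captured at the same moment. On a live host use:
#   SS_OUTPUT=$(ss -tnp)      # as root, or other users' processes are blank
# SYN-SENT sockets are listed too, so a SYN that Shorewall let out is enough.
SS_OUTPUT='State    Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB    0      0      192.168.1.7:51002    203.0.113.10:22     users:(("ssh",pid=1111,fd=3))
SYN-SENT 0      1      192.168.1.7:48122    203.0.113.9:25      users:(("updater",pid=4321,fd=7))
SYN-SENT 0      1      192.168.1.7:48123    203.0.113.9:110     users:(("updater",pid=4321,fd=8))'

# Extract one KEY=value field from a Netfilter log line: log_field LINE KEY
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Read ss output on stdin and print "pid name" of the socket bound to the given
# local port. The source port (SPT) is the join key: it is unique per socket,
# whereas the destination port is shared by every connection to that service.
owner_of_local_port() {  # owner_of_local_port SPT < ss_output
    awk -v spt="$1" '
        NR > 1 {
            n = split($4, l, ":")            # local addr:port; IPv6 has many colons
            if (l[n] != spt) next
            if (match($6, /"[^"]*",pid=[0-9]+/)) {
                s = substr($6, RSTART, RLENGTH)
                gsub(/"/, "", s); sub(/,pid=/, " ", s)
                split(s, p, " ")
                print p[2], p[1]             # pid first, then process name
            }
        }'
}

# Tie the two together for the sample data.
spt=$(log_field "$LOG_LINE" SPT)
dpt=$(log_field "$LOG_LINE" DPT)
owner=$(printf '%s\n' "$SS_OUTPUT" | owner_of_local_port "$spt")
echo "connection to port $dpt from local port $spt belongs to: ${owner:-<socket already gone>}"
```

Run `ss -tnp` as root and as close in time to the log line as possible: a SYN-SENT socket vanishes once the connect attempt times out, which is why letting the SYN out (the NEW-section ACCEPT discussed elsewhere in the thread) helps. A process hidden by a kernel-level rootkit will not show up in `ss` at all; as Lee Brown says, Shorewall is not an IDS.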

Re: [Shorewall-users] Suspected Trojan

2014-08-07 Thread Tom Eastep
On 8/7/2014 5:01 PM, merc1...@f-m.fm wrote: > > On Thu, Aug 7, 2014, at 16:23, Tom Eastep wrote: >> >> To get an immediate indication when a connection is being made, you can >> install the 'conntrack' package, then run: >> >> conntrack -E -p tcp --dport 13 > > The basic problem is I can ne

Re: [Shorewall-users] Suspected Trojan

2014-08-07 Thread merc1984
On Thu, Aug 7, 2014, at 16:23, Tom Eastep wrote: > On 8/7/2014 2:28 PM, merc1...@f-m.fm wrote: > > > > On Thu, Aug 7, 2014, at 13:27, Tom Eastep wrote: > >> Once you stopped the daemons, the worrying messages also stopped? > > > > Stopped the daemons this morning ~9, and just noticed these, for

Re: [Shorewall-users] Suspected Trojan

2014-08-07 Thread Tom Eastep
On 8/7/2014 2:28 PM, merc1...@f-m.fm wrote: > > On Thu, Aug 7, 2014, at 13:27, Tom Eastep wrote: >> Once you stopped the daemons, the worrying messages also stopped? > > Stopped the daemons this morning ~9, and just noticed these, for the > first time ever... my username: > > [63829.975476] Shor

Re: [Shorewall-users] Suspected Trojan

2014-08-07 Thread Tom Eastep
On 8/7/2014 9:35 AM, merc1...@f-m.fm wrote: > Tom, attached please find my # shorewall dump. > > This machine is my laptop. I have it set up, a number of reverse SSH > tunnels to the server to extend ports for services to this laptop. This > is a very good and secure method of running daemons in

Re: [Shorewall-users] Suspected Trojan

2014-08-06 Thread Tom Eastep
On 8/6/2014 4:32 PM, merc1...@f-m.fm wrote: > On Wed, Aug 6, 2014, at 13:21, Tom Eastep wrote: >> I'm still unclear about the topology. Is Shorewall installed on the >> "workstation". Is the Shorewall box the "router" or do you have another >> on-premises router? >> >> The Shorewall system seems to

Re: [Shorewall-users] Suspected Trojan

2014-08-06 Thread merc1984
On Wed, Aug 6, 2014, at 13:21, Tom Eastep wrote: > I'm still unclear about the topology. Is Shorewall installed on the > "workstation". Is the Shorewall box the "router" or do you have another > on-premises router? > > The Shorewall system seems to have both an ethernet interface and a > wireless

Re: [Shorewall-users] Suspected Trojan

2014-08-06 Thread Tom Eastep
On 8/6/2014 11:51 AM, merc1...@f-m.fm wrote: > On Wed, Aug 6, 2014, at 10:54, Tom Eastep wrote: > >> It is interesting that the SOURCE IP address is an RFC-1918 address; is >> that the IP address of a local interface? If so, what is that interface >> used for? How is it defined to Shorewall? > > Y

Re: [Shorewall-users] Suspected Trojan

2014-08-06 Thread merc1984
On Wed, Aug 6, 2014, at 10:54, Tom Eastep wrote: > Did you specify logging on your ACCEPT rule -- I'm guessing not. For > 'info' level logging: > > ACCEPT:info net fw ... You guess right. Now it's set. I now see why this is necessary even though I have info set in policy; it hits

Re: [Shorewall-users] Suspected Trojan

2014-08-06 Thread Tom Eastep
On 8/6/2014 10:54 AM, Tom Eastep wrote: > On 8/6/2014 9:58 AM, merc1...@f-m.fm wrote: > >> >> Ok I've now studied the new ways of Shorewall and have my systems >> updated to the ?SECTIONs. >> >> But now firewall hits to 25 and 110 have stopped, maybe because there's >> a keylogger and they know

Re: [Shorewall-users] Suspected Trojan

2014-08-06 Thread Tom Eastep
On 8/6/2014 9:58 AM, merc1...@f-m.fm wrote: > > Ok I've now studied the new ways of Shorewall and have my systems > updated to the ?SECTIONs. > > But now firewall hits to 25 and 110 have stopped, maybe because there's > a keylogger and they know I'm on to them. Did you specify logging on your

Re: [Shorewall-users] Suspected Trojan

2014-08-06 Thread Øyvind Lode
fw-net means that the traffic is from the firewall itself to the net zone. -Original Message- From: merc1...@f-m.fm [mailto:merc1...@f-m.fm] Sent: 6. august 2014 18:58 To: Shorewall Users Subject: Re: [Shorewall-users] Suspected Trojan On Mon, Aug 4, 2014, at 14:32, Tom Eastep wrote

Re: [Shorewall-users] Suspected Trojan

2014-08-06 Thread merc1984
On Mon, Aug 4, 2014, at 14:32, Tom Eastep wrote: > On 8/4/2014 12:31 PM, merc1...@f-m.fm wrote: > > On Mon, Aug 4, 2014, at 09:48, Tom Eastep wrote: > >> You can allow the connection in the NEW section but DROP the traffic in > >> the ESTABLISHED section. That way, the connection will be made and y

Re: [Shorewall-users] Suspected Trojan

2014-08-04 Thread Tom Eastep
On 8/4/2014 4:19 PM, merc1...@f-m.fm wrote: > On Mon, Aug 4, 2014, at 16:07, Tom Eastep wrote: >> On 8/4/2014 3:58 PM, merc1...@f-m.fm wrote: >>> On Mon, Aug 4, 2014, at 15:06, Tom Eastep wrote: These come FIRST and you must code the section headers as I showed you!!! >>> >>> Ok I've made the

Re: [Shorewall-users] Suspected Trojan

2014-08-04 Thread merc1984
On Mon, Aug 4, 2014, at 16:07, Tom Eastep wrote: > On 8/4/2014 3:58 PM, merc1...@f-m.fm wrote: > > On Mon, Aug 4, 2014, at 15:06, Tom Eastep wrote: > >> These come FIRST and you must code the section headers as I showed you!!! > > > > Ok I've made the change. No wonder, still nothing on my monito

Re: [Shorewall-users] Suspected Trojan

2014-08-04 Thread Tom Eastep
On 8/4/2014 3:58 PM, merc1...@f-m.fm wrote: > On Mon, Aug 4, 2014, at 15:06, Tom Eastep wrote: >> These come FIRST and you must code the section headers as I showed you!!! > > Ok I've made the change. No wonder, still nothing on my monitor. > > Probably best I show my rules file at this point:

Re: [Shorewall-users] Suspected Trojan

2014-08-04 Thread merc1984
On Mon, Aug 4, 2014, at 15:06, Tom Eastep wrote: > These come FIRST and you must code the section headers as I showed you!!! Ok I've made the change. No wonder, still nothing on my monitor. Probably best I show my rules file at this point: https://pastee.org/9mk6q -- http://www.fastmail.fm

Re: [Shorewall-users] Suspected Trojan

2014-08-04 Thread Tom Eastep
On 8/4/2014 2:54 PM, merc1...@f-m.fm wrote: > On Mon, Aug 4, 2014, at 14:32, Tom Eastep wrote: >> On 8/4/2014 12:31 PM, merc1...@f-m.fm wrote: >>> On Mon, Aug 4, 2014, at 09:48, Tom Eastep wrote: You can allow the connection in the NEW section but DROP the traffic in the ESTABLISHED secti

Re: [Shorewall-users] Suspected Trojan

2014-08-04 Thread merc1984
On Mon, Aug 4, 2014, at 14:32, Tom Eastep wrote: > On 8/4/2014 12:31 PM, merc1...@f-m.fm wrote: > > On Mon, Aug 4, 2014, at 09:48, Tom Eastep wrote: > >> You can allow the connection in the NEW section but DROP the traffic in > >> the ESTABLISHED section. That way, the connection will be made and y

Re: [Shorewall-users] Suspected Trojan

2014-08-04 Thread Tom Eastep
On 8/4/2014 12:31 PM, merc1...@f-m.fm wrote: > On Mon, Aug 4, 2014, at 09:48, Tom Eastep wrote: >> You can allow the connection in the NEW section but DROP the traffic in >> the ESTABLISHED section. That way, the connection will be made and you >> will be able to see it with netstat or ss, but no d

Re: [Shorewall-users] Suspected Trojan

2014-08-04 Thread merc1984
On Mon, Aug 4, 2014, at 09:48, Tom Eastep wrote: > You can allow the connection in the NEW section but DROP the traffic in > the ESTABLISHED section. That way, the connection will be made and you > will be able to see it with netstat or ss, but no data will be sent. I'm one of those old-tyme Shore
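The NEW-accept / ESTABLISHED-drop arrangement Tom Eastep describes in the quoted text, as an added example that is not from the thread or the Shorewall project: a constructed rules fragment for ports 25 and 110, plus a small check that the ?SECTION headers are in the order shorewall-rules(5) requires (ALL, ESTABLISHED, RELATED, INVALID, UNTRACKED, NEW), the ordering problem behind the "These come FIRST" exchange earlier on this page. The zone names, the port list and the temporary file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): a rules-file
# fragment following the NEW-accept / ESTABLISHED-drop advice, and a check that
# ?SECTION headers appear in the order Shorewall requires. Zone names, ports
# and the temp-file path are assumptions for the example.

# Canonical ?SECTION order from shorewall-rules(5).
SECTION_ORDER="ALL ESTABLISHED RELATED INVALID UNTRACKED NEW"

# Write the constructed rules fragment to $1. In real use this is
# /etc/shorewall/rules; a temp file here so the example runs offline.
write_rules() {
    cat >"$1" <<'EOF'
#ACTION        SOURCE  DEST    PROTO   DPORT
?SECTION ALL
?SECTION ESTABLISHED
# The connection is allowed to open (NEW section below) but no data leaves
# the box: every packet of an established session to 25/110 is dropped.
DROP:info      $FW     net     tcp     25,110
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Let the SYN out so the socket shows up in `ss -tnp`. Logging goes on the
# rule itself: a matching ACCEPT never reaches the policy chain, so a
# logged policy alone would not record these hits.
ACCEPT:info    $FW     net     tcp     25,110
EOF
}

# Return 0 if every ?SECTION line in $1 appears in canonical order, 1 if a
# section is out of order, repeated or unknown (Shorewall rejects such a file).
check_section_order() {
    awk -v order="$SECTION_ORDER" '
        BEGIN { n = split(order, want, " "); pos = 0 }
        /^\?SECTION[ \t]+/ {
            name = $2
            found = 0
            for (i = pos + 1; i <= n; i++) {
                if (want[i] == name) { pos = i; found = 1; break }
            }
            if (!found) { print "out of order or unknown section: " name; exit 1 }
        }
    ' "$1"
}

# Demo: write the fragment and verify its section order.
rules=$(mktemp)
write_rules "$rules"
if check_section_order "$rules"; then
    echo "section order OK in $rules"
fi
rm -f "$rules"
```

After installing such a fragment, `shorewall check` validates the whole configuration and `shorewall restart` applies it; the hits then appear in the kernel log with the `Shorewall:fw-net:ACCEPT:` prefix and a source port you can match against `ss -tnp`.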

Re: [Shorewall-users] Suspected Trojan

2014-08-04 Thread Tom Eastep
On 8/4/2014 9:33 AM, merc1...@f-m.fm wrote: > > On Sun, Aug 3, 2014, at 11:52, Tom Eastep wrote: >> On 8/3/2014 10:48 AM, Tom Eastep wrote: >>> On 8/3/2014 10:03 AM, merc1...@f-m.fm wrote: Lately I've been noticing that something is hammering away trying to get out ports 25 and 110.

Re: [Shorewall-users] Suspected Trojan

2014-08-04 Thread merc1984
On Sun, Aug 3, 2014, at 11:52, Tom Eastep wrote: > On 8/3/2014 10:48 AM, Tom Eastep wrote: > > On 8/3/2014 10:03 AM, merc1...@f-m.fm wrote: > >> > >> Lately I've been noticing that something is hammering away trying to get > >> out ports 25 and 110. Since I don't use those and they are closed, I

Re: [Shorewall-users] Suspected Trojan

2014-08-03 Thread Tom Eastep
On 8/3/2014 10:48 AM, Tom Eastep wrote: > On 8/3/2014 10:03 AM, merc1...@f-m.fm wrote: >> >> Lately I've been noticing that something is hammering away trying to get >> out ports 25 and 110. Since I don't use those and they are closed, I am >> suspicious. https://pastee.org/k73u8 The destination

Re: [Shorewall-users] Suspected Trojan

2014-08-03 Thread Tom Eastep
On 8/3/2014 10:03 AM, merc1...@f-m.fm wrote: > > Lately I've been noticing that something is hammering away trying to get > out ports 25 and 110. Since I don't use those and they are closed, I am > suspicious. https://pastee.org/k73u8 The destination IP isn't running > POP or SMTP either. > >

Re: [Shorewall-users] Suspected Trojan

2014-08-03 Thread Tom Eastep
On 8/3/2014 10:03 AM, merc1...@f-m.fm wrote: > > Lately I've been noticing that something is hammering away trying to get > out ports 25 and 110. Since I don't use those and they are closed, I am > suspicious. https://pastee.org/k73u8 The destination IP isn't running > POP or SMTP either. > >

[Shorewall-users] Suspected Trojan

2014-08-03 Thread merc1984
Lately I've been noticing that something is hammering away trying to get out ports 25 and 110. Since I don't use those and they are closed, I am suspicious. https://pastee.org/k73u8 The destination IP isn't running POP or SMTP either. Unfortunately, Shorewall doesn't have a mechanism to associ